If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Microsoft Metadata forensics

Attached is a zip file containing these docís necessary to complete this tutorial

Metadata is data held by a file that contains information that is used by the program that made it. Thatís not an official definition, thatís my definition. What this tutorial will do is show you one way to extract information that may prove useful to an investigation or whatever. What makes this tutorial so damn cool, is that Iíll be using docís from a government about WMD in Iraq, that was released to the public. Reporters used metadata to see who had access to this file, and who edited it, and someone got it trouble because of it. Lets get startedÖ

Download the zip, extract its contents. Open blair.doc with notepad, or other non rich text format text editor. You should see a bunch of nonsense, crap characters. In order to make this into a more readable text, you can use notepads find / replace tool. Tell it to find spaces and replace them with nothing. Mess around with it and it will clean up. It will probably me faster to manually delete the large white spaces.

Near the bottom, you should start to see some file paths. This is what we are going to cover. In Tut2.txt, I provided a clean version of the meta. In tut3.txt, I deleted the crap around the file paths, and you can see whats important. In tut4.txt, I cleaned it up to a very readable format. So quick summary:

Open .doc with nonrich text editor
Clean up text
Find intresting info
Clean up more
Organize and investigate

What we have are a bunch of usernames, and paths. These paths represent where the users saved this document. So what does this mean???
These users all had access to the file. This is a trail. All these names took part in making this file. You can even see that ablackshaw transferred the file on a floppy disk, and MKahn uses WINNT. Turns out these people are:

Just to let you know, this was a very important .doc that I attached. I got it from the site linked above.
Quote from the site-

Microsoft Word documents are notorious for containing private information in file headers which people would sometimes rather not share. The British government of Tony Blair just learned this lesson the hard way.
Back in February 2003, 10 Downing Street published a dossier on Iraq's security and intelligence organizations. This dossier was cited by Colin Powell in his address to the United Nations the same month. Dr. Glen Rangwala, a lecturer in politics at Cambridge University, quickly discovered that much of the material in the dossier was actually plagiarized from a U.S. researcher on Iraq.
Back in February, I passed along these 4 names to Dr. Rangwala who then provided them to a number of reports in the UK. One reporter quickly identified the four individuals as:
Paul Hamill - Foreign Office official
John Pratt - Downing Street official
Alison Blackshaw - The personal assistant of the Prime Minister's press secretary
Murtaza Khan - Junior press officer for the Prime Minister

During the week of June 23, 2003, the British Parliament held hearings of the Blair Dossier and other PR efforts by the UK Government leading up to the Iraq war. Alastair Campbell of the UK Communications Information Centre was put in the hot seat and had to explain the dossier plagiarism and details of the revision log.

Thats a different tutorial, huh? Itís almost like you got Alastair Campbell in trouble yourself.

Lesson:
Metadata in Word documents. They can be used to prove something, or altered to hide something. As long as you know its there, then you have the potential to use it for good.

If you didn't see this, Microsoft released a metadata cleaning tool, although it only works for Office 2003 of which many people havent upgraded to yet...including us. Gee, thanks Microsoft Would have been nice if they supported Office 2000 but that would go against the make-more-money initiative by dribbling out minor upgrades.